University of Southampton Institutional Repository

The investigation of security issues in agile methodologies


Alnatheer, Ahmed (2014) The investigation of security issues in agile methodologies. University of Southampton, Physical Sciences and Engineering, Doctoral Thesis, 395pp.

Record type: Thesis (Doctoral)

Abstract

This thesis is about an empirical study on the effects of using predominant security mechanisms for integration into Agile methodologies. Claims uncovered throughout our review of the literature and research are presented along with our findings, analysis, and interpretation of the qualitative and quantitative phases, which underscore the gap in the literature over the past few years. In this thesis the researcher uses the issues raised in the literature and incorporates empirical findings from practitioners working in the field to form a cohesive and complete investigation into the predominant security practices that are suitable for inclusion in Agile. Current security issues related and applicable to popular Agile methodologies such as Scrum and eXtreme Programming (XP) are examined, and their effects on the process and the final product are researched, quantified, analyzed, interpreted, and summarized. This is done to gain a more practical and in-depth understanding of the security issues and the effectiveness of methods proposed for use in the Agile software development field today. The research considered their potential for inclusion (and possible integration) into Agile methods from multiple perspectives, utilizing a mixed-method approach of in-depth empirical interviews, empirical surveys, and an academic experiment to test those findings. In this manuscript we present the research along with the findings obtained, our conclusions, and the future direction of the research. The contribution of this work is to identify and empirically classify outstanding issues that were agreed upon by practitioners and experts in the field. The most popular of these turned out to be the addition of a security engineer or experienced developers to the Agile team to bolster the resulting software’s security assurance argument.
Others aimed at modifying aspects of Agile that were deemed necessary for security, including documentation, risk analysis, or the need for better tools. Building software with security in mind and the use of software security controls were also important findings from the qualitative phase of the study. These, along with our own findings, formed the basis of a comprehensive survey of practitioners to gauge the suitability and feasibility of those issues and solutions for possible inclusion into Agile. The significant findings from our survey suggested that the most suitable mechanisms are the addition of a dedicated Security Engineer and of more experienced developers to the Agile team, and the use of software security controls. Based on these results we put together an experimental trial to test the effect of more experienced developers on the Agile team on the process, the final product (the software produced), and the people involved (the stakeholders in Agile projects). The statistically significant result of the experiment affirmed the hypothesis that the inclusion of more experienced developer(s) in the Agile team increased the team’s overall awareness of security compared to the less experienced team(s).


More information

Published date: January 2014
Organisations: University of Southampton, Electronic & Software Systems

Identifiers

Local EPrints ID: 374168
URI: http://eprints.soton.ac.uk/id/eprint/374168
PURE UUID: 628029f0-24be-4a0e-a017-f081c35d4164

Catalogue record

Date deposited: 16 Feb 2015 13:55
Last modified: 14 Mar 2024 19:03

Contributors

Author: Ahmed Alnatheer
Thesis advisor: Andrew Gravell
